The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.

While it doesn’t generate the same press as a DDoS attack or other types of breaches, hackers are more steadily using stolen and/or expired certificates to spread malware. And, as Jeff Hudson, CEO of Venafi, told me in an email, it is a surprisingly easy way for the hackers to break in:

Organizations’ failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want. The Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected and carry out their nefarious activities without working up a sweat.

Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue, rather these common outdates are symptomatic of much larger security vulnerabilities. It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.